BY  THE  U.S.  GENERAL  ACCOUNTING  OFFICE

Report  To  The  Secretary  Of  Defense

AD-A140  934

Department  Of  Defense's  First-Year 
Implementation  Of  The  Federal 
Managers'  Financial  Integrity  Act 


GAO  conducted  a  review  of  22  federal 
agencies'  efforts  to  implement  the  Federal 
Managers'  Financial  Integrity  Act  of  1982. 
The  act  was  intended  to  help  reduce  fraud, 
waste,  and  abuse  across  the  spectrum  of 
federal  government  operations  through 
annual  agency  self-assessments  of  their 
internal  controls  and  accounting  systems. 

This  report  highlights  the  progress  made 
and  problems  encountered  by  the  Department
of  Defense  in  its  first  year  of  experience
with  this  new  act.  The  report  focuses
on  Defense's  efforts  to  evaluate  internal 
controls,  review  accounting  systems,  and 
improve  the  evaluation  processes  as  a  result 
of  identified  problems. 

United  States  General  Accounting  Office

WASHINGTON,  D.C.  20548


NATIONAL  SECURITY  AND 
INTERNATIONAL  AFFAIRS  DIVISION 


B-202205 


The  Honorable  Caspar  W.  Weinberger 
The  Secretary  of  Defense 

Dear  Mr.  Secretary: 

This  report  summarizes  the  results  of  our  reviews  of  the 
Department  of  Defense's  (DOD's)  efforts  to  implement  and  comply 
with  the  Federal  Managers'  Financial  Integrity  Act  of  1982. 

This  act  affects  executive  agencies  including  all  services, 
agencies,  and  offices  within  DOD.  These  reviews  were  part  of  a 
governmentwide  assessment  of  the  act's  first-year 
implementation. 

Our  reviews  of  DOD's  implementation  were  performed  at  the 
Departments  of  the  Army,  Navy,  and  Air  Force;  the  Defense 
Logistics  Agency;  and  the  Defense  Mapping  Agency — five  of  the  24 
reporting  centers  established  by  DOD.  We  are  issuing  separate 
reports  to  these  five  centers  (see  app.  III)  and  are  providing
copies  to  your  office.  We  also  reviewed  the  policies  and 
procedures  established  by  your  office  in  response  to  the  act. 

The  act  requires  continuing  evaluations  and  an  annual 
statement  to  the  President  and  to  the  Congress  concerning  the 
adequacy  of  each  executive  agency's  systems  of  internal 
accounting  and  administrative  controls.  It  also  requires  each 
agency  to  report  annually  on  whether  its  accounting  systems 
conform  to  the  principles,  standards,  and  related  requirements 
prescribed  by  the  Comptroller  General  of  the  United  States.  We 
believe  full  implementation  of  the  act  will  enable  the  heads  of 
executive  agencies  to  identify  their  major  internal  control  and 
accounting  problems  and  improve  controls  essential  to  the 
development  of  effective  management  control  systems,  as  well  as 
a  sound  financial  management  structure  for  their  agencies. 

Further  details  of  the  act  and  our  objectives,  scope  and 
methodology  are  in  appendix  I. 

OBSERVATIONS


In  your  December  28,  1983,  statement  to  the  President  and 
the  Congress,  you  reported  broad  areas  in  which  internal  control 
weaknesses  had  been  corrected  or  corrective  actions  were 
required.  You  also  reported  on  deficiencies  in  DOD's  accounting 
systems.  Additional  information  on  the  statement  is  in 
appendix  I.  Appendix  II  provides  details  on  the  areas  having 
internal  control  weaknesses. 

We  found  that  DOD  has  made  progress  in  complying  with  the 
requirements  of  the  act.  DOD  published  its  internal  control 
directive  (Directive  7040.6)  on  March  24,  1982,  in  response  to 
Office  of  Management  and  Budget  Circular  A-123.  The  directive 
assigns  responsibility  to  reporting  center  heads  for  developing 
and  implementing  plans  for  vulnerability  assessments  and  internal
management  control  reviews  and  for  responding  to  reporting
requirements.  All  centers  scheduled  and  completed  their  assessments
by  December  1982.  Based  on  these  assessments,  the  centers
prepared  plans  for  conducting  internal  control  reviews. 

In  spite  of  the  progress,  some  problems  and  delays  have 
been  encountered  which  have  affected  the  implementation  of  fully 
satisfactory  programs  DOD-wide.  Many  of  these  have  DOD-wide 
implications;  some  are  unique  to  specific  reporting  centers. 

For  example,  the  DOD-wide  problems  include  (1)  early  DOD-wide 
guidance  for  making  vulnerability  assessments  excluded  such 
evaluation  factors  as  budgeting  and  reporting  practices,  and 
program  age  and  life  expectancy;  (2)  persons  involved  in  the 
internal  control  process  at  the  five  centers  reviewed  needed 
additional  and/or  better  training  which  would  provide  practical 
instructions  on  how  to  perform  evaluations;  and  (3)  some  reporting
centers  did  not  include  all  organizational  and/or  functional
elements  when  dividing  the  centers  into  assessable  units.
Moreover,  one  nonappropriated  fund  organization — the  Army  and 
Air  Force  Exchange  Service — did  not  comply  with  the  act  because 
the  Exchange  Service  decided  that  it  was  not  subject  to  the 
act's  requirements.  However,  the  Exchange  Service's  large 
volume  of  sales  ($4.3  billion  in  fiscal  year  1982),  and  its 
recent  history  of  weak  internal  controls  make  it  vulnerable  to 
loss,  waste,  unauthorized  use  or  misappropriation  of  assets. 
These  items  and  others  are  discussed  further  in  appendix  I  and 
in  our  reports  on  the  individual  reporting  centers. 

DOD  has  drafted  a  revision  to  its  internal  control 
directive.  The  revision  will  require  reporting  centers  to 
establish  a  formal  follow-up  system  to  record  and  track  (1) 
deficiencies  disclosed  by  any  source,  (2)  scheduled  corrective 
actions,  and  (3)  established  completion  dates  for  those 
corrective  actions.  The  reporting  centers  we  visited  have
developed  or  are  in  the  process  of  developing  such  systems.  We 
plan  to  closely  monitor  progress  in  this  area  in  the  future. 

We  also  found  that  the  military  departments  and  the  Defense 
Logistics  Agency  made  determinations  on  accounting  systems  compliance
with  the  Comptroller  General's  accounting  principles  and
standards  based  on  the  experience,  knowledge,  and  observations 
of  accounting  officials.  The  Defense  Mapping  Agency  based  its 
report  on  the  determinations  made  by  the  Air  Force  because  it 
uses  the  Air  Force's  accounting  system  software.  DOD  plans  to 
provide  additional  guidance  for  evaluating  its  accounting 
systems.  The  guidance  will  include  assigning  responsibilities 
for  documenting  accounting  system  designs,  testing  systems  in 
operation,  and  tracking  reported  accounting  system  problems. 

CONCLUSIONS 

In  summary,  DOD  has  made  progress  in  implementing  the 
Financial  Integrity  Act.  In  order  to  have  a  fully  satisfactory 
program  departmentwide,  improvements  are  needed  in  certain 
areas,  some  of  which  are  highlighted  in  this  report.  Details  of 
these  and  other  areas  needing  attention  are  presented  in  our 
reports  to  the  heads  of  the  five  reporting  centers  we  reviewed 
this  year. 

DOD  has  recognized  the  need  to  make  improvements  in  its 
internal  control  evaluation  process  and  has  taken  or  plans  to 
take  corrective  actions  in  each  of  the  areas  where  we  identified 
weaknesses.  We  believe  that  these  corrective  actions  will 
enhance  DOD's  efforts  to  comply  with  the  act  in  the  future  and 
provide  the  basis  for  more  meaningful  statements  regarding  DOD's 
internal  controls. 

AGENCY  COMMENTS 

In  commenting  on  a  draft  of  this  report,  DOD  concurred  with 
our  findings  and  proposals.  (See  app.  IV.)  DOD  also  described 
its  planned  and  completed  actions  to  correct  the  problems 
discussed.

One  issue  addressed  in  a  draft  of  this  report,  which 
required  consideration  by  your  office,  was  the  matter  of  whether 
the  Army  and  Air  Force  Exchange  Service  is  subject  to  the  act. 

In  a  letter  dated  March  8,  1984,  DOD's  General  Counsel  office 
concluded  that  nonappropriated  fund  activities,  including  the 
Exchange  Service,  are  not  covered  by  the  act.  We  had  proposed 
that,  as  a  matter  of  policy,  you  (1)  direct  the  Army  and  Air 
Force  Exchange  Service  to  follow  the  provisions  of  the  act  and 
(2)  assign  permanent  responsibility  for  the  Exchange  Service's
internal  control  evaluation  process  to  either  the  Secretary  of 
the  Army  or  the  Secretary  of  the  Air  Force. 

In  a  letter  dated  March  27,  1984,  DOD  agreed  to  revise  its 
internal  control  directive  to  include  nonappropriated  fund 
instrumentalities  as  a  matter  of  policy.  (See  app.  IV.)  DOD 
also  requested  that  the  Secretaries  of  the  Army  and  Air  Force 
agree  to  a  permanent  assignment  of  responsibility  for  the 
purpose  of  fulfilling  the  requirement  of  the  directive  in 
respect  to  the  Exchange  Service  by  the  close  of  fiscal  year 
1984.  We  believe  that  this  action  is  satisfactory  and  plan  to 
continue  monitoring  the  Exchange  Service's  implementation  of  the 
directive. 

As  a  result  of  DOD's  planned  and  completed  corrective 
actions,  we  are  not  making  any  recommendations  in  this  report  or 
in  our  reports  to  center  heads. 


We  are  sending  copies  of  this  report  to  the  Director,
Office  of  Management  and  Budget;  the  Chairmen,  Senate  Committees
on  Governmental  Affairs,  Appropriations,  Armed  Services,  and  the 
Budget;  and  the  Chairmen,  House  Committees  on  Government 
Operations,  Appropriations,  Armed  Services,  and  the  Budget.  We 
are  also  sending  copies  to  the  Secretaries  of  the  Army,  Navy, 
and  Air  Force;  and  the  Directors,  Defense  Logistics  and  Defense 
Mapping  Agencies. 

We  appreciate  the  courtesy  and  cooperation  Defense 
personnel  extended  to  us  during  our  reviews. 

Sincerely  yours, 


Frank  C.  Conahan 

Director 

APPENDIX  I

DOD'S  FIRST-YEAR  IMPLEMENTATION  OF  THE  FEDERAL
MANAGERS'  FINANCIAL  INTEGRITY  ACT


THE  FINANCIAL  INTEGRITY  ACT 

The  Congress,  in  1982,  enacted  the  Federal  Managers' 
Financial  Integrity  Act,  31  U.S.C.  3512(b)  and  (c),  in  response 
to  continuing  disclosures  of  waste,  loss,  unauthorized  use,  or 
misappropriation  of  assets  across  a  wide  spectrum  of  government 
operations  which  were  largely  attributable  to  serious  weaknesses 
in  agencies'  internal  controls.  The  act  was  designed  to 
strengthen  the  existing  requirement  of  the  Accounting  and 
Auditing  Act  of  1950  that  executive  agencies  establish  and  maintain
systems  of  accounting  and  internal  control  to  provide
effective  control  over  and  the  accountability  for  all  funds, 
property,  and  other  assets  for  which  the  agency  is  responsible, 
31  U.S.C.  3512(a)(3). 

We  believe  that  full  implementation  of  the  Financial 
Integrity  Act  will  enable  the  heads  of  federal  departments  and 
agencies  to  identify  their  major  internal  control  and  accounting 
problems  and  improve  controls  essential  to  the  development  of  an 
effective  management  control  system  and  a  sound  financial  management
structure.  To  achieve  this,  the  act  requires:

— Each  agency  to  establish  and  maintain  its  internal 
accounting  and  administrative  controls  with  the 
standards  prescribed  by  the  Comptroller  General,  so 
as  to  reasonably  ensure  that:  (1)  obligations  and 
costs  comply  with  applicable  law;  (2)  all  funds, 
property,  and  other  assets  are  safeguarded  against 
waste,  loss,  unauthorized  use,  or  misappropriation; 
and  (3)  revenues  and  expenditures  applicable  to 
agency  operations  are  recorded  and  properly 
accounted  for. 

— Each  agency  to  evaluate  and  report  annually  on 
internal  control  systems.  The  report  is  to  state 
whether  agency  systems  of  internal  control  comply 
with  the  objectives  of  internal  controls  set  forth 
in  the  act  and  with  the  standards  prescribed  by  the 
Comptroller  General.  The  act  also  provides  for  the 
agency  report  to  identify  the  material  weaknesses 
involved  and  describe  the  plans  for  corrective 
action. 

— Each  agency  to  prepare  a  separate  report  on  whether
the  agency's  accounting  systems  conform  to
principles,  standards,  and  related  requirements  prescribed
by  the  Comptroller  General.

— The  OMB  to  issue  guidelines  for  federal  departments
and  agencies  to  use  in  evaluating  their  internal
accounting  and  administrative  control  systems.
These  guidelines  were  issued  in  December  1982.

— The  Comptroller  General  to  prescribe  standards  for 
federal  agencies'  internal  accounting  and  administrative
control  systems.  The  Comptroller  General
issued  these  standards  in  June  1983. 

The  Comptroller  General's  presentation  at  the  September  29, 
1983,  meeting  of  the  assistant  secretaries  for  management  outlined
his  expectations  for  agency  efforts  to  report  on  conforming
accounting  systems  to  the  Comptroller  General's  principles
and  standards  (section  4  of  the  act).  Recognizing  that  not  all 
agencies  had  begun  work  to  implement  section  4,  the  Comptroller 
General  emphasized  the  following  constructive  actions  which 
could  be  taken  to  provide  building  blocks  for  future  years' 
implementation: 

— Organize  for  completing  accounting  systems  evaluations
and  issue  needed  written  policies  and
procedures. 

— Inventory  accounting  systems. 

— Identify  prior  reported  system  deviations. 

— Rank  the  systems  according  to  the  materiality  of 
potential  deviations  from  our  accounting  principles 
and  standards. 

— Initiate  reviews  of  systems. 

— Plan  for  the  first-year  report. 

This  report  is  one  of  GAO's  22  reports  on  federal  agencies' 
efforts  to  implement  the  act. 

IMPLEMENTING  THE  ACT 

In  order  to  implement  the  act  departmentwide,  DOD  was
divided  into  24  reporting  centers.  Each  center  was  required  to 
implement  an  internal  control  program  and  report  to  the 
Secretary  of  Defense  on  the  adequacy  of  its  systems  of  internal 
accounting  and  administrative  controls.  The  centers  we  reviewed
also  reported  on  whether  their  accounting  systems  conformed  to 
the  principles,  standards,  and  related  requirements  prescribed 
by  the  Comptroller  General  of  the  United  States.  The  center 
reports  provided  the  basis  for  the  Secretary  of  Defense's 
December  1983  statement  to  the  President  and  to  the  Congress  on 
the  adequacy  of  DOD's  internal  controls  and  the  extent  to  which 
its  accounting  systems  conform  to  the  required  principles  and 
standards.

The  DOD  Inspector  General  made  independent  assessments  of 
Defense  agencies'  internal  controls  and  accounting  compliance 
evaluation  processes  and  reporting.  At  the  suggestion  of  the 
Deputy  Secretary  of  Defense,  the  Auditor  Generals  of  the  military
departments  made  assessments  for  their  respective
departments.  The  Inspector  General  reported  these  results  to
each  Defense  agency  and  the  combined  assessment  results,  including
those  of  the  Auditor  Generals,  to  the  Secretary  of  Defense.

The  Inspector  General  recommended  that  the  Secretary  of 
Defense's  December  1983  statement  be  qualified  to  acknowledge 
that  the  internal  control  process  was  not  complete  and  consistent
within  the  department.  The  Inspector  General  stated  in  the
report  that  DOD  had  taken  reasonable  and  prudent  action  to 
implement  the  accounting  systems  reporting  provisions  of  the  act 
and  had  established  a  reasonable  reporting  base  for  the  initial 
report. 

INTERNAL  CONTROLS  PROCESS 

In  accordance  with  the  act,  OMB  has  established  guidelines 
for  agencies'  evaluations  of  their  systems  of  internal  accounting
and  administrative  control.  These  guidelines  provide  a
basic  approach  to  evaluating,  improving,  and  reporting  on  internal
controls.  OMB  recommends  the  following  process  as  an
efficient,  effective  way  to  perform  the  required  evaluations: 

— Organize  the  internal  control  evaluation  process.

— Segment  the  agency  to  create  an  inventory  of  assessable
units.

— Conduct  vulnerability  assessments  to  determine  the  risk
of  waste,  loss,  unauthorized  use,  or  misappropriation.

— Review  internal  controls.

— Take  corrective  actions.

— Report  on  the  adequacy  of  internal  controls  and  plans 
for  corrective  action. 

We  observed  several  problems  which  have  affected  the 
implementation  of  fully  satisfactory  programs  DOD-wide.  The 
problems  largely  stemmed  from  different  guidance  provided  at 
various  times.  OMB  issued  Circular  A-123  in  October  1981, 
establishing  a  governmentwide  internal  controls  program.  The 
circular,  which  was  the  predecessor  of  the  act,  was  implemented 
by  DOD  in  March  1982.  The  act  was  subsequently  approved  in 
September  1982,  and  OMB's  guidelines  were  issued  in  December 
1982.  Consequently,  much  of  DOD's  work  took  place  earlier  in 
1982  before  the  act  was  passed  and  OMB  guidelines,  required  by 
the  act,  were  available. 

The  following  problems  were  identified  as  a  result  of  our 
reviews  this  year.  Many  of  these  have  DOD-wide  implications; 
some  are  unique  to  specific  reporting  centers. 

— Early  DOD  guidance  for  making  vulnerability  assessments 
included  about  half  the  evaluation  factors  subsequently 
prescribed  by  OMB.  DOD  did  not  include  such  factors  as 
budgeting  and  reporting  practices,  ADP  considerations, 
degree  of  centralization,  and  program  age  and  life 
expectancy.  We  believe  that  evaluation  of  all  factors 
affecting  a  program  improves  the  accuracy  of  vulnerability
assessments  and,  thus,  improves  the  overall  internal
control  process. 

— Persons  involved  in  the  internal  control  process  at  the 
five  centers  reviewed  need  additional  and/or  better 
training.  For  example,  the  Army's  early  training  was 
limited  mainly  to  orientation  sessions  for  persons 
involved  in  the  internal  controls  evaluation  process. 
Subsequent  training  did  not  provide  practical  instruction 
to  line  managers  on  how  to  perform  the  actual 
evaluations.  We  recognize  that  tight  time  constraints 
during  the  first  year  reduced  the  opportunities  for 
training  the  managers  involved  in  the  process.  We 
believe  that  training  is  an  excellent  means  of  disseminating
program  expectations  and  an  important  factor  in
achieving  consistency  in  the  evaluation  process. 

— Some  reporting  centers  did  not  include  all  organizational 
and/or  functional  elements  in  dividing  their  centers  into 
assessable  units.  For  example,  the  Defense  Mapping 
Agency's  first-year  process  excluded  the  Hydrographic/ 
Typographic  Center's  field  offices,  motorpool,  book
library,  silver  recovery  functions,  and  minicomputers.
We  believe  that  all  programs,  functions,  and  activities
should  be  considered  under  the  act.

— Problems  were  encountered  with  vulnerability  assessments. 
Generally,  the  vulnerability  assessments  were  inadequately
and/or  inconsistently  performed  within  the
centers.  In  one  case,  the  Defense  Logistics  Agency  did 
not  provide  specific  guidance  to  field  activities  for 
completing  vulnerability  assessments.  This  resulted  in 
inconsistencies  ranging  from  one  activity  not  performing 
vulnerability  assessments  at  all  to  another  activity  performing
and  documenting  its  assessments.  We  believe
adequate  and  consistent  assessments  are  important  because 
they  provide  the  basis  for  managers  to  determine  which 
programs  and  activities  are  highly  susceptible  to  risks 
of  waste,  loss,  and  unauthorized  use  of  assets. 

— Generally,  reporting  centers  inadequately  and/or  inconsistently
documented  vulnerability  assessments  and  internal
control  reviews.  For  example,  the  Navy  required
little  vulnerability  assessment  documentation  from  its 
components  and  some  that  was  required  was  not  submitted. 
This  resulted  in  inconsistent  documentation  among  Navy’s 
components  with  very  vague  descriptions  of  the  rationale 
supporting  the  assessments  assigned.  We  believe  that 
documentation  of  vulnerability  assessments  and  internal 
control  reviews  is  important  to  provide  managers  with  an 
understanding  of  how  the  vulnerabilities  were  determined, 
the  internal  controls  were  evaluated,  and  the  actions 
proposed  were  considered. 

— All  centers  reviewed  had  problems  concerning  ADP  general
and  application  controls¹  in  their  evaluations.  For
example,  the  Air  Force’s  internal  control  reviews  generally
did  not  consider  ADP  controls  in  heavily  automated
functions  and  some  Army-wide  automated  systems  were  not
comprehensively  reviewed  during  their  first-year
evaluations.  Because  ADP  is  an  integral  part  of  management
and  accounting  systems,  we  believe  that  it  is  imperative
to  consider  ADP  general  and  application  controls  as
part  of  the  internal  control  evaluation  process.


¹General  controls  apply  to  the  overall  management  of  the  ADP
function  and  affect  most  ADP  hardware  and  application
software  systems.  Application  controls  are  unique  to  each
software  application  system  and  are  intended  to  assure  the
quality  of  data  origination,  input,  processing,  and  output.

— The  Army  and  Air  Force  Exchange  Service  is  a  joint
command,  with  management  responsibility  alternating
between  the  Departments  of  the  Army  and  the  Air  Force.
The  Army  and  Air  Force  Exchange  Service,  based  on  its
General  Counsel's  opinion,  decided  that  it  was  not 
subject  to  the  act's  requirements  to  report  on  its 
internal  controls.  Consequently,  the  Exchange  Service 
used  its  own  process  for  evaluating  internal  controls  and 
reported  only  to  its  Board  of  Directors.  The  Exchange 
Service's  evaluation  process,  however,  did  not  meet  the 
requirements  of  OMB  or  Air  Force  guidelines.  The  Air 
Force  did  not  consider  the  Exchange  Service  to  be 
included  under  the  act  because  it  is  a  nonappropriated 
fund  activity.  The  Navy,  however,  included  its  exchange 
system  in  its  internal  control  program.  The  Army  and  Air 
Force  Exchange  Service's  large  volume  of  sales  ($4.3 
billion  in  fiscal  year  1982),  and  its  recent  history  of 
weak  internal  controls  make  it  vulnerable  to  loss,  waste, 
unauthorized  use,  or  misappropriation  of  assets.  For 
example,  since  1977,  there  have  been  66  convictions  for 
offenses  such  as  bribery,  accepting  gratuities,  and  tax 
evasion  in  Exchange  Service-related  prosecutions.  We 
believe  that  as  a  matter  of  good  management  policy  the 
Exchange  Service  should  be  directed  to  comply  with 
provisions  of  the  act. 

— The  Navy,  after  completing  reviews  of  the  Navy-wide 
highly  vulnerable  programs,  encouraged — but  did  not 
require — its  components  and  activities  to  review  those 
programs  they  considered  highly  vulnerable  but  which  were 
not  ranked  highly  vulnerable  Navy-wide.  For  example,  the 
Headquarters  of  the  Commander-in-Chief  of  the  Pacific
Fleet  ranked  administrative  support  as  its  most  highly 
vulnerable  area  in  June  1982.  As  of  October  15,  1983,  it 
had  not  performed  internal  control  reviews  in  this  area. 
The  three  areas  it  had  reviewed  were  financial,  supply, 
and  transportation,  each  ranked  low  by  the  component  but 
high  Navy-wide.  We  believe  reviews  should  be  required  in 
the  local  high  vulnerability  program  areas  because  management
attitude,  organizational  structure,  personnel,
organizational  checks  and  balances,  and  safeguards  are
all  local  factors  which  heavily  influence  the  vulnerability
of  a  program  area.

— The  Air  Force  report  to  the  Secretary  of  Defense,  while 
generally  outlining  areas  of  concern,  does  not  specifically
address  the  problems  or  material  weaknesses.  For
example,  foreign  military  sales  financial  management  is
listed  as  a  "material  weakness,"  but  the  Air  Force  report
does  not  identify  what  the  specific  problems  are,
implying  that  the  entire  subject  area  is  materially 
weak.  Unless  specific  problems  and,  if  known,  the 
associated  internal  control  weaknesses  are  identified, 
neither  the  Air  Force,  the  Office  of  the  Secretary  of 
Defense,  nor  the  Congress  can  effectively  measure  the 
successful  resolution  of  the  problems. 

In  discussing  these  problems  with  Defense  officials,  we 
found  that  action  is  planned  or  underway  that  should  significantly
improve  the  implementation  process.  A  revision  to  the
internal  control  directive  (DOD  Directive  7040.6)  has  been 
drafted  by  DOD  officials.  This  directive  will  require  all 
reporting  centers  to  base  their  annual  reports  to  the  Secretary 
of  Defense  on  evaluations  made  in  accordance  with  OMB  guidelines 
and  will  specify  that  documentation  serves  as  a  reference  for 
managers  reviewing  management  controls.  DOD  officials  recognize 
the  need  for  agencywide  consistency  in  implementing  the  act  and 
are  considering  use  of  a  contractor-developed  course  for  training
lower  level  managers.  Each  of  the  reporting  centers  will  be
expected  to  provide  training  for  middle  and  upper  level
managers.

In  addition,  DOD  officials  also  recognize  a  problem  with 
the  inconsistency  in  holding  managers  responsible  for  internal 
controls  through  performance  appraisals.  They  are  presently 
working  with  OMB  to  define  what  would  be  appropriate  in  this 
regard.

ACCOUNTING  SYSTEMS  COMPLIANCE 

DOD  initiated  a  limited  effort  to  report  on  accounting  systems
compliance  with  the  Comptroller  General's  accounting  principles
and  standards.  We  found  that  the  military  departments
and  the  Defense  Logistics  Agency  made  determinations  on
compliance,  based  on  the  experience,  knowledge,  and  observations
of  accounting  officials  rather  than  on  evaluations  specifically
designed  to  assess  how  well  systems  operated.  According  to  a
DOD  official,  DOD  took  this  approach  because  of  time  constraints
and  the  fact  that  the  accounting  officials  who  made  the  determinations
had  firsthand  knowledge  of  the  systems.  The  Defense
Mapping  Agency  based  its  report  on  the  determinations  made  by 
the  Air  Force  because  it  uses  the  Air  Force's  accounting  systems 
software. 

In  this  regard,  we  noted  that  the  Defense  Mapping  Agency 
drafted  new  internal  control  guidance  to  incorporate  the  identification
and  evaluation  of  the  manual  processing  functions
supporting  their  automated  accounting  systems.  This  guidance
requires  responsible  managers  to  certify  that  the  software  has 
not  been  altered  by  their  operators.  If  the  software  has  been 
altered,  they  must  submit  a  statement  on  the  results  of  testing 
the  accounting  system  changes  for  conformance  with  the 
Comptroller  General's  accounting  principles  and  standards. 

For  future  years,  we  believe  additional  work  is  necessary 
to  form  a  better  basis  for  concluding  whether  accounting  systems 
are  in  conformance  with  the  Comptroller  General's  accounting 
principles  and  standards.  DOD  officials  recognize  that  more 
guidance  and  oversight  is  necessary.  For  this  purpose,  additional
DOD  guidance  will  include  assigning  responsibilities  for
documenting  accounting  system  designs,  testing  systems  in 
operation,  and  tracking  reported  accounting  system  problems. 

THE  SECRETARY  OF 
DEFENSE'S  ANNUAL  STATEMENT 

DOD  reported  broad  areas  in  which  internal  control  weaknesses
had  been  corrected  or  corrective  actions  were  required.
In  addition,  accounting  system  deficiencies  were  reported.  The
areas  of  internal  control  weakness  were:

— Cash  Management
— Cash/Debt  Management
— Financial  Management
— Foreign  Military  Sales
— Information  Systems  Management
— Procurement
— Property  Management
— Security


Appendix  II  provides  additional  information  on  these  areas. 


DOD  stated  that  corrective  actions  had  been  taken  on  some 
weaknesses.  For  example,  it  reported  that  actions  were  taken  to 
ensure  compliance  with  existing  regulations  that  would  correct 
identified  weaknesses  in  conducting  inventories;  reporting 
missing,  lost,  or  stolen  property;  and  reconciling  physical 
inventories  to  records.  In  another  example,  DOD  reported  that 
linking  Army  disbursing  stations  with  the  Security  Assistance 
Accounting  Center's  centralized  accounting  system  improved  controls
over  monies  disbursed  from  the  Foreign  Military  Sales
Trust  Fund. 


DOD  reported  other  weaknesses  in  areas  still  needing 
improvement  which  included  procurement,  cash/debt  management, 
and  security.  DOD  also  reported  that  in  addition  to  establishing
corrective  action  plans  and  schedules  for  each  of  the  areas,
it  also  plans  to  control  and  track  these  weaknesses  until  corrective
actions  are  completed.

The  section  of  the  DOD  report  covering  compliance  with  the
Comptroller  General’s  accounting  principles  and  standards
included  major  areas  of  deficiencies,  a  listing  of  154  accounting
systems  or  system  segments  in  broad  compliance/noncompliance
categories,  and  milestone  dates  for  bringing  98  noncomplying
systems  or  system  segments  into  compliance.  The  remaining  56
accounting  systems  or  system  segments  were  deemed  to  be  in
compliance.

One or more of the reported major areas of deficiencies
resulted in the 98 systems or system segments not complying with
the Comptroller General's principles and standards. These areas
include: general ledger control and reporting, property
accounting, cost accounting, accrual accounting, military pay
entitlements, in-transit property accountability, timeliness,
systems documentation, and interfaces between accounting system
segments.

TRACKING  AND  FOLLOW-UP  SYSTEMS 

The Financial Integrity Act has two important purposes:
(1) to promote effective internal accounting and administrative
controls and (2) to conform agency accounting systems to the
principles, standards, and related requirements prescribed by
the Comptroller General. The identification of internal control
weaknesses and accounting system conformance problems is essential
to the achievement of these purposes. The identification,
however,  is  only  the  beginning — we  believe  corrective  action  is 
the  heart  of  the  program. 

DOD's  draft  revision  to  Directive  7040.6  requires  reporting 
centers  to  establish  a  formal  follow-up  system  to  record  and 
track  (1)  deficiencies  disclosed  by  any  source,  (2)  scheduled 
corrective  actions,  and  (3)  established  completion  dates  for 
these  corrective  actions. 

The  reporting  centers  we  visited  have  developed  or  are  in 
the  process  of  developing  such  systems.  The  Defense  Mapping 
Agency  has  a  system  in  place;  the  Departments  of  the  Army,  Navy, 
and  Air  Force  are  developing  systems.  The  Defense  Logistics 
Agency  has  assigned  this  responsibility  to  its  components,  but 
plans to incorporate such a system into its audit follow-up system
in 1984.

According  to  an  official  of  the  Office  of  the  Assistant 
Secretary of Defense (Comptroller), DOD does not plan to establish
a separate, DOD-wide follow-up system for Financial
Integrity Act purposes. Instead, as the Department's draft
revision to Directive 7040.6 states, reporting centers are given
the  responsibility  to  establish  individual  follow-up  systems. 

The  official  pointed  out  that  this  requirement  is  consistent 
with  DOD's  decentralized  approach  to  management.  It  was  further 
pointed  out  that  the  centers  were  encouraged,  but  not  required, 
to  incorporate  the  Financial  Integrity  Act  follow-up  system  into 
existing  audit  report  follow-up  systems. 

We  believe  the  internal  reporting  process  used  to  prepare 
the  Secretary's  annual  statement  lends  itself  to  an  effective 
follow-up  system.  Throughout  the  large,  complex  military 
organization,  each  level  receives  reports  from  subordinate 
levels,  consolidates  them,  and  reports  internal  control  and 
accounting  system  compliance  problems  to  the  next  higher  level. 
In this way, the Secretary's statement is prepared. This process
results in each higher level having a list of the problems
reported at the immediate subordinate level. This system gives
the necessary information and could be used in reverse for
follow-up to ensure that actions are taken.

We  believe  it  is  essential  that  DOD  establish  an  effective 
system  to  (1)  track  identified  internal  control  and  accounting 
system  problems  and  (2)  follow  up  to  see  that  corrective  actions 
are  taken.  We  strongly  encourage  continuation  of  DOD's  effort 
to  have  reporting  centers  develop  follow-up  systems.  Because  of 
this effort, we are not making a recommendation at this time.
We plan, however, to closely monitor progress in this area as we
continue our work in 1984.

OBJECTIVES,  SCOPE,  AND  METHODOLOGY 

The  overall  objective  of  our  review  was  to  evaluate  DOD's 
implementation  of  the  Financial  Integrity  Act.  Because  our 
first-year review was limited to an evaluation of the implementation
process, we did not attempt to independently determine
the  status  of  DOD's  internal  control  systems  or  the  extent  to 
which  DOD's  accounting  systems  comply  with  the  Comptroller 
General's  principles  and  standards.  To  accomplish  our 
objective,  we  reviewed  relevant  DOD  directives  and 
correspondence,  and  interviewed  appropriate  officials  in  the 
offices  of  the  Assistant  Secretary  of  Defense  (Comptroller)  and 
the  Inspector  General.  We  also  did  work  at  5  of  DOD's  24 
internal  control  reporting  centers. 

— Department  of  the  Army. 

— Department  of  the  Navy. 
— Department of the Air Force.

— The  Defense  Logistics  Agency. 

— The  Defense  Mapping  Agency. 

These  centers  were  selected  because  they  provide  broad  coverage 
of  operating  and  support  activities  in  the  Department.  Details 
on the activities visited and the specific work done are contained
in our reports to center heads. Our reviews were conducted
between July 1983 and March 1984.

Because  the  act  requires  executive  agencies  to  use  OMB 
guidelines to evaluate systems of internal accounting and administrative
control, we also used them to evaluate DOD's efforts.
We  recognize  that  a  large  part  of  these  efforts  were  completed 
or  underway  when  OMB  issued  its  guidelines. 

Our  review  was  conducted  in  accordance  with  generally 
accepted  government  auditing  standards. 

DOD'S AREAS OF WEAKNESS REPORTED

WHERE CORRECTIVE ACTIONS HAVE BEEN TAKEN

Area: Property Management
Reported Corrective Action: "Property managers and auditors
identified some practices which deviated from existing policy and
regulations. Actions taken to correct these deficiencies resulted in
improved controls to identify precious metals; reduced potential for
the loss of weapons, ammunition, and narcotics; and increased
accuracy of inventory records over plant property, small tools, and
ground support equipment."

Area: Financial Management
Reported Corrective Action: "Financial managers effected savings
in transportation costs by refining a number of procedures for
establishing delivery dates for shipments of material; in retirement
costs by identifying unreported deceased retirees and beneficiaries;
and in civil service retirement accounts by improving the accuracy
of reports to the Office of Personnel Management."

Area: Cash Management
Reported Corrective Action: "Cash management personnel reduced
to minimum levels the balances at finance offices and modified
deposit procedures to expedite the flow of funds to the U.S.
Treasury."

Area: Foreign Military Sales
Reported Corrective Action: "Foreign Military Sales (FMS) managers
in one DOD component established a system to improve control
over trust fund disbursements."

Area: Information Systems Management
Reported Corrective Action: "Managers of information systems
documented security requirements, established new emergency
procedures, and arrived at less expensive alternatives to
contingency plans for providing continuity of the data processing
operation."


REQUIRING CORRECTIVE ACTIONS

Area: Foreign Military Sales
Required Corrective Action: "There is a need for improved
management to assure that all sales are made in accordance with the
provisions of the Arms Export Control Act and that there is adequate
control over and accounting for U.S. resources and customer funds."

Area: Procurement
Required Corrective Action: "Procurement managers must increase
competition; expand sources of supply; improve methods for spare
parts procurement; reduce cost growth in weapon systems; and
address changes, more effectively, in small computer technology."

Area: Property Management
Required Corrective Action: "The administrative and accounting
controls over property need to be strengthened. Lack of these
controls has adversely impacted the management of all property
whether held by DOD or furnished to contractors. DOD has issued
property accounting standards. When properly implemented, these
standards will establish financial control over these assets."

Area: Cash/Debt Management
Required Corrective Action: "Financial managers must improve
controls to assure that payments are made more timely (not early or
late), erroneous payments are avoided, receivables are promptly
recorded and collected, receipts are deposited in a timely manner,
and cash held outside the Treasury is minimal."

Area: Security
Required Corrective Action: "Security managers need to complete
the evaluation of the overall security management process, as well
as particular areas of policy and procedures in order to put in
place effective ways for organizing the program and controlling
access to resources (e.g., cash, tangible property, technology,
computers/automation equipment, and data)."

GAO REPORTS ON DOD'S FIRST-YEAR IMPLEMENTATION
OF THE FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT

Title: Department of the Army's First-Year Implementation
of the Federal Managers' Financial Integrity Act
Date: May 1, 1984
Report number: GAO/NSIAD-84-92

Title: Department of the Navy's First-Year Implementation
of the Federal Managers' Financial Integrity Act
Date: May 1, 1984
Report number: GAO/NSIAD-84-94

Title: Department of the Air Force's First-Year Implementation
of the Federal Managers' Financial Integrity Act
Date: May 1, 1984
Report number: GAO/NSIAD-84-93

Title: Defense Logistics Agency's First-Year Implementation
of the Federal Managers' Financial Integrity Act
Date: May 1, 1984
Report number: GAO/NSIAD-84-99

Title: Defense Mapping Agency's First-Year Implementation
of the Federal Managers' Financial Integrity Act
Date: May 1, 1984
Report number: GAO/NSIAD-84-101

ASSISTANT SECRETARY OF DEFENSE

WASHINGTON, D.C. 20301


COMPTROLLER 

27  MAR  1984 

Mr.  Frank  C.  Conahan 
Director,  National  Security 
and  International  Affairs 
Division 

General  Accounting  Office 
441  G  Street,  NW,  Room  4804 
Washington,  D.C.  20548 

Dear  Mr.  Conahan: 

This  is  the  Department  of  Defense  (DoD)  response  to  the 
General  Accounting  Office  (GAO)  Draft  Report,  "The  Department  of 
Defense's  First  Year  Implementation  of  the  Federal  Managers' 
Financial  Integrity  Act  (OSD),"  dated  March  12,  1984  (GAO  Code  No. 
390003),  OSD  Case  No.  6465. 

DoD  has  made  steady  progress  and  has  dedicated  significant 
resources  to  implementing  the  Financial  Integrity  Act  since  its 
enactment  in  September  1982.  The  Department  expects  to  show 
continued  progress  and  improvement  in  1984.  The  GAO  reviews  have 
provided  DoD  with  the  opportunity  to  assess  its  progress  to  date 
and  to  focus  attention  on  those  activities  where  emphasis  is 
needed  to  further  institutionalize  the  program.  It  is  also 
appreciated  that  your  staff  recognized  that  the  DoD  has 
implemented  several  initiatives  which  will  resolve  the  concerns 
noted  in  the  Draft  Report. 

DoD  is  presently  in  the  process  of  reissuing  DoD  Directive 
7040.6  on  this  program  and  anticipates  publication  by 
April  30,  1984.  The  Directive  has  been  revised  to  better  define 
an  assessable  unit,  require  the  establishment  of  quality  control 
programs,  require  management  control  responsibilities  to  be 
included  in  military  and  civilian  position  descriptions,  and 
include nonappropriated fund instrumentalities, e.g., the Army and
Air Force Exchange Service (AAFES), in the management control
program  as  a  matter  of  DoD  policy.  The  DoD  Directive  will 
provide  uniform  policy  and  procedures  for  improved  management 
control  of  resources  within  DoD. 

The  Secretary  reported  in  his  Integrity  Act  Annual  Statement 
to  the  President  and  the  Congress  that  one  major  difficulty 
encountered  during  the  first  year  of  the  program  was  the  lack  of  a 
standardized  training  program.  Several  of  the  GAO  concerns,  e.g., 
the  uneven  quality,  inconsistency,  and  inadequacy  in  performing 
vulnerability  assessments  and  management  control  reviews,  also 
addressed  this  need.  At  the  present  time,  a  contractor  is 
developing  a  DoD  handbook  for  performing  vulnerability  assessments 
and management control reviews which will describe what steps are
to be followed, why the step is important, and how to do each
step.  This  handbook  should  provide  a  baseline  for  measuring 
quality  and  consistency  among  the  Components  and  for  developing  a 
quality  control  program.  The  handbook  is  expected  to  be  available 
in  July/August  1984. 

The  DoD  Accounting  Manual  is  also  being  revised  to  provide 
additional  guidance  on  the  maintenance  of  documentation,  and  the 
testing  and  approval  of  accounting  systems.  This  new  guidance, 
coupled  with  the  resources  we  are  applying  to  monitor  DoD 
Component  accounting  systems,  should  contribute  to  continued 
progress  in  our  efforts  to  bring  all  DoD  accounting  systems  into 
full  compliance  with  Comptroller  General  accounting  principles, 
standards  and  related  requirements. 

DoD  comments  on  each  of  the  GAO  findings  and  recommendation 
are  in  the  Enclosure.  Thank  you  for  providing  DoD  with  an 
opportunity  to  comment  on  this  Draft  Report. 

Sincerely, 


Pri 

(Comptroller) 

Enclosure 

DoD Comments
on

GAO  Draft  Report,  "The  Department  of  Defense’s  First  Year 
Implementation  of  the  Federal  Managers'  Financial  Integrity  Act 
(OSD),"  dated  March  12,  1984  (GAO  Code  No.  390003),  OSD  Case  No. 
6465 


GAO  FINDING  A 

Early  department-wide  guidance  for  making  vulnerability 
assessments  includes  about  half  the  factors  subsequently 
prescribed  by  the  Office  of  Management  and  Budget  (OMB).  (p.  2, 
Draft Report) (See app. I, p. 4, this report.)

DoD  COMMENT 

Concur.  The  initial  DoD  guidance  complied  with  the  substance 
of  the  original  OMB  requirements.  In  DoD,  vulnerability 
assessments  were  required  to  be  completed  by  July  31,  1982,  which 
was  almost  six  months  before  the  OMB  Guidelines  were  available.  A 
revised  DoD  Directive  7040.6  and  a  comprehensive  DoD  training 
program  will  incorporate  the  mandatory  OMB  Guidelines  requirements 
for  making  a  vulnerability  assessment.  The  Directive  should  be 
available  in  April  and  the  training  program  in  July  or  August 
1984. 

GAO  FINDING  B 

Persons  involved  in  the  internal  control  process  at  the  five 
centers  reviewed  need  additional  and/or  better  training.  (p.  3, 
Draft  Report)  (See  app.  I,  p.  4,  this  report.) 

DoD  COMMENT 

Concur.  Most  DoD  Components  did  provide  and  are  continuing 
to  provide  interim  training  to  their  staffs.  As  previously 
mentioned,  additional  and  better  training  is  being  developed.  It 
will  include  a  comprehensive  "how-to-do"  package. 

GAO  FINDING  C 

Some  reporting  centers  did  not  include  all  elements  when 
dividing  into  assessable  units.  (p.  3,  Draft  Report)  (See  app.  I,  p.  4, 
this  report.) 

DoD  COMMENT 

Concur.  DoD  is  reissuing  the  Directive  on  this  program.  It 
will  include  a  requirement  for  each  DoD  organization  head  to 
establish  an  inventory  of  assessable  units  by  segmenting  each 
activity  into  its  organizational  units  and  identifying  within  each 
organizational  unit  all  the  functions  it  performs. 

NOTE:  Page  numbers  have  been  added  to  correspond  to  this  report. 

GAO FINDING D


Problems  were  encountered  with  vulnerability  assessments. 
Generally,  the  vulnerability  assessments  were  either  inadequately 
performed  or  done  inconsistently  within  the  centers.  (p.  3,  Draft 
Report)  (See  app.  I,  p.  5,  this  report.) 

DoD COMMENT

Concur.  The  revised  DoD  Directive  and  training  program,  as 
well  as  the  current  emphasis  placed  on  performing  vulnerability 
assessments  by  individual  DoD  Components,  should  minimize  any 
future  problems. 

GAO  FINDING  E 

Generally,  documentation  of  vulnerability  assessments  and 
internal  control  reviews  was  inadequate  and  inconsistent.  (p.  3, 
Draft  Report)  (See  app.  I,  p.  5,  this  report.) 

DoD  COMMENT 


Concur.  The  DoD  initiatives  outlined  in  response  to  Finding 
A  will  specify  documentation  requirements,  and  will  provide  a 
baseline  for  measuring  consistency  among  the  DoD  Components. 

GAO  FINDING  F 


All  centers  reviewed  had  problems  concerning  automated  data 
processing  (ADP)  general  and  application  controls  in  their 
evaluations.  (p.  3,  Draft  Report)  (See  app.  I,  p.  5,  this  report.) 

DoD  COMMENT 

Concur.  DoD  will  form  a  working  group  to  develop  a  guideline 
document  on  how  ADP  management  control  reviews  should  be 
accomplished.  The  working  group  will  address  both  ADP  application 
and  general  controls  and  develop  a  process  to  coordinate  the 
evaluation  of  standard  (multi-site)  systems.  The  working  group 
should  be  established  by  May  31,  1984. 

GAO  FINDING  G 


The  Navy  encouraged,  but  did  not  require,  its  components  and 
activities  to  review  those  programs  they  considered  highly 
vulnerable,  but  which  were  not  ranked  highly  vulnerable  Navy-wide. 
(p. 4, Draft Report) (See app. I, p. 6, this report.)

DoD  COMMENT 


Concur.  The  Secretary  of  the  Navy  (SECNAV)  will  revise  his 
guidance  by  May  1984,  to  require  Department  of  Navy  activities  to 
review  highly  vulnerable  areas  at  the  local  level.  This 
requirement  will  also  be  incorporated  into  a  revision  of  SECNAV 
Instruction 5200.35, which will be promulgated after the
April  30,  1984,  issuance  of  the  DoD  Directive. 

GAO  FINDING  H 


The  Air  Force  report  to  the  Secretary  of  Defense,  while 
generally  outlining  areas  of  concern,  does  not  specifically 
address  the  problems  or  the  material  weaknesses.  (p.  4,  Draft 
Report)  (See  app.  I,  p.  6,  this  report.) 

DoD  COMMENT 


Concur. On March 14, 1984, the Acting Assistant Secretary of
the Air Force (Financial Management) directed that the Fiscal Year
1984  annual  statement  not  only  identify  material  weaknesses  but 
also  explain  the  problems  associated  with  such  weaknesses  and  the 
planned  corrective  actions.  DoD  will  also  provide  more  definite 
guidance  and  instructions  to  Components  at  the  appropriate  time 
regarding  the  submission  of  their  annual  statements  for  Fiscal 
Year  1984. 

GAO  RECOMMENDATION 

In regard to the Army and Air Force Exchange Service (AAFES),
it  is  appropriate  and  desirable  for  the  Secretary  of  Defense  to 
require  this  activity  to  follow  the  provisions  of  the  Financial 
Integrity  Act  regardless  of  whether  legally  required.  Therefore, 
we  recommend  that,  as  a  matter  of  policy,  you  (1)  direct  AAFES  to 
follow  the  provisions  of  the  Act,  and  (2)  assign  permanent 
responsibility  for  the  Exchange  Service's  internal  control 
evaluation  process  to  either  the  Secretary  of  the  Army  or  the 
Secretary  of  the  Air  Force.  This  responsibility  should  include 
implementing  the  Act,  reporting  internal  control  weaknesses,  and 
following up on corrective actions. (p. 5, Draft Report) (See app.
p. 6, this report.)

DoD  COMMENT 


Concur.  DoD  will  take  the  following  implementing  actions: 

a.  DoD  Directive  7040.6,  implementing  the  Federal  Managers' 
Financial Integrity Act will include nonappropriated fund
instrumentalities  as  a  matter  of  policy.  It  is  anticipated  that 
this  revised  Directive  will  become  effective  April  30,  1984. 

b.  The  responsibility  for  AAFES  will  remain  with  the  Air 
Force  until  August  1985  for  purposes  of  consistency  of  reporting. 
On  March  21,  1984,  the  Assistant  Secretary  of  Defense  (MI&L) 
requested  the  Secretaries  of  the  Army  and  Air  Force  to  make  a 
permanent  assignment  of  responsibility  for  the  purpose  of 
fulfilling  the  requirements  of  the  Directive. 


GLOSSARY 


The  following  definitions  were  developed  by  GAO  for  our 
review  of  the  implementation  of  the  Federal  Managers'  Financial 
Integrity  Act. 

Accounting  System 

The  total  structure  of  the  methods  and  procedures  used  to 
record,  classify,  and  report  information  on  the  financial 
position  and  operations  of  a  governmental  unit  or  any  of 
its  funds,  or  organizational  components.  An  accounting 
system  should  assist  in  the  financial  management  functions 
of  budget  formulation  and  execution,  proprietary  accounting 
and  financial  reporting. 

Administrative  Function 


An  activity  in  an  agency  which  is  carried  out  to  support 
the  accomplishment  of  an  agency's  programs,  missions,  or 
objectives.  These  activities  may  include  ADP,  travel,  or 
consulting services. However, there is no uniform definition
of administrative functions; each agency's may be
unique. 

ADP  Application  Controls 

Controls  that  are  unique  to  each  software  application 
system.  Application  controls  are  intended  to  assure  the 
quality  of  data  origination,  input,  processing,  and  output. 

ADP  General  Controls 


Controls  that  apply  to  the  overall  management  of  the  ADP 
function  in  an  agency.  General  ADP  controls  have  a  direct 
effect  on  the  quality  of  service  rendered  to  ADP  users  and 
cover  the  processing  of  all  ADP  application  systems.  These 
controls  affect  most  ADP  hardware  and  application  software 
systems,  and  include 

— organizational  controls  for  the  ADP  unit; 

— system  design,  development,  and  modification 
controls; 

— data  center  management  controls; 

— data  center  security  controls; 

— system  software  controls;  and 
— hardware  controls. 

These  controls  should  be  evaluated  by  ADP  managers  as  part 
of  an  analysis  of  the  general  control  environment. 

A major organization, program, or functional subdivision of
an  agency  having  one  or  more  separate  systems  of  internal 
control,  and  a  specific,  responsible  manager. 

Assessable  Unit 


A  program  or  administrative  function  or  subdivision 
thereof,  which  is  to  be  the  subject  of  a  vulnerability 
assessment.  An  agency  should  identify  its  assessable  units 
in  such  a  way  as  to  (1)  include  the  entire  agency  and  (2) 
facilitate  meaningful  vulnerability  assessments.  All 
agency program or administrative functions must be
assessed, with the exception of those involved in the performance
of policymaking or statutory formulation.

Audit  Resolution 

Begins when auditors report their findings to management
and is completed only after management takes action.
Management must either correct identified deficiencies,
produce improvements, or demonstrate that findings are
invalid. "Audit Resolution" is one of the Comptroller
General's Standards for Internal Controls in the Federal
Government.


Control  Objective 


A  desired  goal  or  condition  for  a  specific  event  cycle, 
system,  or  subsystem.  An  agency's  control  objectives 
should  be  developed  for  each  agency  activity  and  should 
address  the  three  objectives  in  the  Federal  Managers' 
Financial  Integrity  Act.  An  example  of  a  control  objective 
may  be  "Paychecks  should  be  issued  to  all,  and  only, 
entitled  persons."  "Control  Objectives"  are  one  of  the 
Comptroller  General's  Standards  for  Internal  Controls  in 
the  Federal  Government. 


Control  Technique 


Any  mechanism  relied  on  to  efficiently  and  effectively 
accomplish a control objective. These mechanisms, if operating
as intended, help prevent fraud, waste, abuse, or
mismanagement.  An  example  of  a  control  technique  might  be 
the  comparison  of  automated  personnel  and  payroll  master 
files  prior  to  computing  and  issuing  paychecks.  "Control 
Techniques"  are  one  of  the  Comptroller  General's  Standards 
for  Internal  Controls  in  the  Federal  Government. 

Documentation


That  information  which  would  allow  an  independent  reviewer 
to  reach  the  same  conclusions  as  the  original  reviewer 
regarding  an  agency's  internal  controls;  and  the  methods 
used, personnel involved, and conclusions reached in conducting
its internal control evaluation, improvement, and
reporting process. This information should be current and
be available for review. "Documentation" of internal controls
is one of the Comptroller General's Standards for
Internal  Controls  in  the  Federal  Government. 

Event  Cycle 

A  grouping  of  similar  activities.  An  entity’s  activities 
can  be  grouped  into  a  discrete  number  of  cycles.  These 
groupings  are  based  on  what  is  accomplished,  and  therefore 
facilitate  the  identification  of  cycle  objectives.  For 
example,  most  agencies  will  have  a  disbursement  cycle  which 
will  include  all  events  contributing  to  the  objective  of 
providing  reasonable  assurance  that  all  payments  are  legal, 
proper,  accurate,  and  timely. 

General  Control  Environment 


Those environmental factors that can influence the effectiveness
of internal controls over program and administrative
functions. An evaluation of the general control environment
is the first step in the vulnerability assessment
process required by OMB's Guidelines.

This  evaluation  may  be  performed  for  the  component  as  a 
whole,  or  individually  for  each  program  and  administrative 
function  within  the  component.  The  determining  factors 
would  be  the  size,  nature,  and  degree  of  centralization  of 
the  programs  and  functions  conducted  within  the  agency 
component. 

Inherent  Risk 


The  inherent  potential  for  waste,  loss,  unauthorized  use, 
or  misappropriation  due  to  the  nature  of  an  activity 
itself.  An  analysis  of  each  assessable  unit's  inherent 
risk  is  the  second  step  in  the  vulnerability  assessment 
process  required  by  OMB’s  Guidelines.  OMB's  Guidelines 
suggest  that  the  matters  to  be  considered  in  the  analysis 
should  include,  but  need  not  be  limited  to,  the  following: 
purpose  and  characteristics,  budget  level,  impact  outside 
the  agency,  age  and  life  expectancy,  degree  of 
centralization, special concerns, prior reviews, and management
responsiveness.


Internal  Controls 


The  plan  of  organization  and  all  coordinate  methods  and 
measures adopted by an agency to provide reasonable assurance
that the three objectives of the Federal Managers'
Financial  Integrity  Act  of  1982  are  achieved.  Internal 
controls  should  be  established  in  accordance  with  the 
Comptroller  General's  Internal  Control  Standards. 
Typically,  an  internal  control  represents  the  combination 
of  a  control  objective,  along  with  a  control  technique  (or 
set  of  techniques)  which  are  being  relied  on  to  achieve 
that  control  objective. 

Internal  Control  Review 


A  detailed  examination  of  a  system  of  internal  control  to 
determine  whether  adequate  control  measures  exist  and  are 
implemented to prevent or detect the occurrence of potential
risks in a cost effective manner. OMB's Guidelines
recommend six steps for an internal control review: (1)
identification of the event cycle, (2) analysis of the general
control environment, (3) documentation of the event
cycle, (4) evaluation of internal controls within the
cycle, (5) testing of the internal controls, and (6)
reporting the results. Internal control reviews should
normally be conducted for those areas rated as highly vulnerable
in the vulnerability assessment process, where corrective
action is not readily apparent. An agency should
allocate  resources  for  these  detailed  reviews  of  internal 
control  based  on  vulnerability;  those  most  vulnerable 
should  be  reviewed  first. 

Internal  Control  Standards 

In  1983,  the  Comptroller  General  issued  a  set  of  Standards 
For  Internal  Controls  In  The  Federal  Government.  The 
Federal  Managers'  Financial  Integrity  Act  of  1982  requires 
each  executive  agency  to  establish  internal  accounting  and 
administrative  controls  in  accordance  with  these 
standards.  There  are  five  general  standards,  six  specific 
standards,  and  one  audit  resolution  standard.  The  five 
general standards are: (1) reasonable assurance, (2) supportive
attitude, (3) competent personnel, (4) control
objectives, and (5) control techniques. The six specific
standards are: (1) documentation, (2) recording of transactions
and events, (3) execution of transactions and
events,  (4)  separation  of  duties,  (5)  supervision,  and  (6) 
access  to  and  accountability  for  resources. 


OMB  Guidelines 


The  document  issued  by  the  Office  of  Management  and  Budget 
in  December  1982,  Guidelines  for  the  Evaluation  and 
Improvement  of  and  Reporting  on  Internal  Control  Systems  in 
the Federal Government. An evaluation conducted in accordance
with these guidelines is to provide a basis for an
agency's  annual  statement  required  by  the  act. 

Preliminary  Evaluation  of  Safeguards 

A  judgment  regarding  the  existence  and  adequacy  of  internal 
control  over  an  assessable  unit.  This  evaluation  is  the 
third  step  in  the  vulnerability  assessment  process  required 
by  the  OMB  Guidelines.  The  evaluation  is  preliminary,  in 
that  a  more  in-depth  review  of  internal  controls  is  the 
focus of the internal control review phase. The preliminary
evaluation of controls required here should be based
largely on the evaluator's working knowledge of the existence
and functioning of internal controls in the subject
assessable  unit. 

Program 

Generally,  an  organized  set  of  activities  directed  toward  a 
common  purpose  or  goal,  and  undertaken  or  proposed  by  an
agency  in  order  to  carry  out  its  responsibilities.  In
practice,  however,  the  term  "program"  has  many  meanings.
It  is  used  to  describe  the  agency's  mission,  functions,
activities,  services,  projects,  and  processes.

Reasonable  Assurance 


Internal  control  systems  should  provide  reasonable,  but  not 
absolute,  assurance  that  the  objectives  of  the  system  will 
be  accomplished.  This  concept  recognizes  that  the  cost  of 
internal  control  should  not  exceed  the  benefit  expected  to 
be  derived  therefrom,  and  that  the  benefits  consist  of 
reductions  in  the  risks  of  failing  to  achieve  stated 
objectives.  Estimates  and  judgments  are  required  to  assess 
the  expected  benefits  and  related  costs  of  internal 
controls.  Errors  or  irregularities  may  occur  and  not  be 
detected  because  of  inherent  limitations  in  any  internal 
control,  including  those  resulting  from  resource 
constraints,  or  congressional  restrictions.  "Reasonable 
Assurance"  is  one  of  the  Comptroller  General's  Standards 
for  Internal  Controls  in  the  Federal  Government.

Segmentation

The  process  by  which  an  agency  identifies  its  assessable 
units;  i.e.,  its  programs  and  administrative  functions. 

The  inventory  of  assessable  units  developed  as  a  result  of 
this  process  must  be  appropriately  detailed  so  as  to  provide
a  basis  for  the  conduct  of  meaningful  vulnerability
assessments.  The  OMB  Guidelines  provide  that  all  the 
agency  activities,  except  those  concerned  with 
policymaking,  should  be  included  in  the  inventory. 

There  is  no  single  best  method  to  segment  an  agency, 
particularly  in  light  of  variations  in  agency  organization 
structure  and  responsibilities. 

Specific  Risk 

A  judgment  regarding  the  likelihood  and  magnitude  of  error 
or  irregularity  in  the  event  cycle  being  evaluated.  These 
judgments  represent  an  essential  element  of  the  fourth  step 
recommended  by  OMB  in  its  Guidelines  for  an  internal  control
review:  "Evaluation  of  the  internal  controls  within
the  event  cycle."  The  judgment  regarding  specific  risk  is 
based  on  a  comparison  of  control  objectives  with  related 
control  techniques.  Based  on  this  evaluation,  the  amount 
and  type  of  control  testing,  OMB's  fifth  step  in  an  internal
control  review,  will  be  determined.

Testing 

The  examination  of  available  evidence  to  determine  whether 
internal  controls  are  functioning  as  intended.  Testing  is 
the  fifth  step  recommended  in  OMB's  Guidelines  for  the  performance
of  an  internal  control  review.


The  nature  of  the  controls,  the  significance  of  the  cycle, 
importance  of  control  objective,  the  nature  of  the  specific 
risks,  possible  compensating  controls,  testing  resources, 
and  timing  must  all  be  considered  in  developing  appropriate 
tests.  Generally,  testing  can  be  categorized  as  either
"compliance"  or  "substantive."  Compliance  testing  is  generally
used  when  the  judgment  regarding  specific  risk  has
given  reason  to  rely  on  a  control  technique.  It  is
designed  to  verify  if  one  or  more  internal  control  techniques
are  operating.  The  other  category  of  testing,
"substantive"  testing,  is  used  when  the  specific  risk  is 
sufficiently  great  that  the  control  cannot  be  relied  on.  A 
substantive  test  is  designed  not  to  verify  the  operation  of 
a  control  technique  but  rather  to  verify  the  results  of  the 
process  to  which  the  control  was  applied. 


Vulnerability  Assessment 

A  biennial  review  of  the  susceptibility  of  an  assessable 
unit  to  the  occurrence  of  waste,  loss,  unauthorized  use,  or 
misappropriation.  OMB's  Guidelines  prescribe  three  basic 
steps  for  the  conduct  of  vulnerability  assessment:  (1) 
analyze  the  general  control  environment,  (2)  analyze  the 
inherent  risk,  and  (3)  perform  a  preliminary  evaluation  of 
existing  safeguards. 

The  primary  purpose  of  vulnerability  assessments  is  to 
determine  if  and  in  what  sequence  resources  should  be  allocated
for  the  performance  of  internal  control  reviews.